Moving Safely From Detection To Automated Action

Many companies remain cautious of automating their security systems, leery of the possible business interruptions that could happen when a mistake gets propagated across their systems.

Yet, the complexity that the average information security manager or chief information-security officer has navigate means that automation is no longer an option, but a mandate, say security experts. Adding up the threats that need to be tracked, the vulnerabilities that must be mitigated, and the users that need to be cared for results in a stark calculus for the defenders, says Mike Lloyd, chief technology officer of RedSeal Networks, a network-management firm.

Companies that do not focus on automating their monitoring and response to incidents are likely missing threats to the their business, he says. While worries over automation are natural, they are placing defenders at a disadvantage because attackers have no qualms about multiplying their impact with automated programs and systems.

"The attackers have moved up to automated weaponry, while the defenders are still using bows and arrows," Lloyd says.

The distrust of automation is so pervasive that, despite the commoditization of intrusion prevention systems over the past decade, many companies continue to use their appliances to merely detect threats, he says.

Yet, automation done wrong can be worse than the threats. Bad things can happen when automation ends up propagating an error. Take the March incident that downed Internet load-balancing service CloudFlare for more than an hour. The company analysis of an on-going attack resulted in an odd router rule. Despite the fact that the rule attempted to filter out packets that could not exist on the Internet, an analyst pushed out the rule to every edge router. Making matters worse, the rule crashed the routers.

"What should have happened is that no packet should have matched that rule because no packet was actually that large," the company wrote in a March 3 post. "What happened instead is that the routers encountered the rule and then proceeded to consume all their RAM until they crashed."

Greater efficiency means more time for defense
Companies should start their automation efforts by looking for workflows that generate few false positives or errors, and automate those first. While such efforts may not directly result in a greater likelihood of detecting attackers, they will free up defenders to pursue other analyses and investigations, and so indirectly will strengthen defenses, says Dan Kuykendall, chief technology officer and co-CEO of NT OBJECTives, an application security firm.

"It is not just about automation, but about efficiency," he says. "If you are in a scenario where your scanner tells you that you have 20 or 30 vulnerabilities, sitting down and hand-writing filters is generally out of reach for most people. Having that automated piece is very efficient."

[With a federal agency deadline for Federal Information Security Management Act (FISMA) compliance reporting through the new automated tool already past, security experts believe the government still has a long way to go. See Continuous Monitoring Still A Long Way Off For The Feds.]

Overall, the degree of automation should depend on the accuracy of the detection systems: If the system produces a lot of false positives, then automation will likely be error-prone. In that case, having a human--or more than one expert--in the loop is necessary. Vulnerability scanners can automatically generate rules that can then be added to a network firewall or a Web application firewall, but the system's manager should review the response.

"When you observe something, you want to see that the accuracy is very high before automating the response," says Chris Petersen, chief technology officer and co-founder of log management firm LogRhythm, warning that "other security alerts, such as those resulting from behavioral analytics, are not going to be as concrete as that."

The level of oversight also depends on the action take in response. Blocking access to a public Web server is a serious measure, so a manager should sign off on the change. Responses to other types of alerts, such as disabling the account of a user from which suspicious activity has been detected, could be done automatically, says Petersen.

"The impact of a disabled account is relatively minor--the user may be unproductive for a couple of hours," he says.

Standardization is needed
Another road block to automating the response to threats is that detection systems and response systems do not typically speak the same language. Vulnerability management systems will likely list issues in the Common Vulnerability and Exposures (CVE) format, while intrusion prevention systems generally have a proprietary way of expressing vulnerabilities in terms of signatures, says RedSeal Networks' Lloyd.

"The industry is letting their customers down by not integrating their products well," he says.

Companies that are planning to tie systems together to better automate them should look at the Security Content Automation Protocol (SCAP), a standard developed by the U.S. National Institute of Standards and Technology for allowing interoperability between security devices.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.